US law enforcement biggest recipient of Microsoft customer data

Microsoft joins Google and Twitter with new transparency report.

Following the lead set by Google and Twitter, Microsoft has published its first transparency report, tabulating the number of requests for customer data made by law enforcement around the world, the number of responses given, and what kind of information was included in those responses.

Microsoft responds to requests for data in 46 countries, those where it says it can properly verify the legitimacy of the requests. In 2012, a total of 70,665 requests were made. The country making the most demands for data was Turkey, with 11,434. The US was in second place, with 11,073. Each request could concern multiple users, with a total of 122,015 users covered by requests.

When it comes to the number of requests that returned customer data, however, the US was the clear leader. Of 1,558 requests that resulted in disclosure of some customer content, such as the subject or body of an e-mail or a photograph on SkyDrive, 1,544 were made in the US. The other 14 were split between Brazil (7), Canada (1), Ireland (5), and New Zealand (1).

Requests involving only what Microsoft calls "transactional" data were much more evenly distributed. These requests, which might yield information such as an IP address, a name, or a billing address, were far more numerous, with almost 80 percent of all requests resulting in disclosure of this kind of information.

Turkey took the top spot here, with 8,997 disclosures of transactional information, with the US, UK, France, and Germany, all receiving 7,000-odd responses.

A minority of requests didn't result in any information disclosure. In 16.8 percent of cases, no relevant data for the accounts queried was found. Again, Turkey led here, with 2,433 requests not yielding data, with the US, UK, France, and Germany following. Some requests were also rejected for not meeting legal criteria. Almost all of these—759 out of 866 total—came from the US.

Microsoft's report breaks out data surrounding Skype separately. Skype has historically had a different reporting and recording system, so Microsoft says it can't provide the same breakdown of outcomes, though in future it will change how it collects the data so that it can provide this level of detail. The Skype data also spans a different set of countries.

The UK made the most Skype requests, making 1,268 out of a total of 4,713. The US made the second most requests, 1,154. In all, law enforcement asked for information about 15,409 different Skype accounts. None of the requests resulted in disclosure of customer content, but an undisclosed number resulted in disclosure of transactional data.

Slightly more detailed information exists for the second half of 2012. In that period, Skype's compliance team found no information about 2,847 of the accounts queried. The Skype team also provided "guidance" to law enforcement, such as an explanation about why a request was rejected or information about the process for obtaining data, in 501 cases.

Going forward, Microsoft plans to update the report every six months.

The company also provided information beyond that contained in the report. Strikingly, Microsoft addressed only 11 requests that concerned enterprise customers using Office 365, Azure, or other cloud services. Of those 11, seven were rejected outright or redirected to the customers' own legal departments. The remaining four, which resulted in some information disclosure, were either done with the customers' consent, or after following the terms of the enterprise contracts.

Over 2012, Google in comparison had 42,327 requests in total, concerning 68,249 accounts. Of these, 16,407 were made in the US, and about 14,600 resulted in information being disclosed (Google provides no data about whether the information is content or transactional). As such, Google receives more requests about US data than Microsoft, and responds to a higher proportion: 89 percent for Google, 79 percent for Microsoft.

Conversely, Microsoft responded to far more requests outside the US. Of 25,920 non-US requests, Google responded to barely half: 13,478, or 52 percent. Microsoft attributes this difference in non-US reporting to its greater presence in countries around the world, which makes it easier for courts and law enforcement agencies to contact Microsoft to request data.

The lack of information about Skype may frustrate an on-going effort by privacy advocates and activists to get Microsoft to publicly state what data it can collect from Skype users, what data it does collect from Skype users, what its procedures are when asked for data, and what its relationship is with TOM Online, a Chinese company that licenses Skype's technology for use in China and that provides a modified Skype client that performs censorship of Skype chats. These concerns were raised in an open letter published in January. Microsoft is yet to respond to the letter.

Though today's transparency report does provide some of the information requested, it also indicates that Microsoft doesn't have all the data that the open letter's signatories would like. Future records should be more complete, however.

I always told my clients, if you're gonna do anything illegal, don't do it on a Microsoft platform.

I tell my students to compute the expected return in dollars per hour, not forgetting the 25 years in Leavenworth. I also tell them that encryption may make them safer, but not to bet their lives on it.

Regarding lawful interception of Skype - note the following in the FAQ section:

Quote:

What is Microsoft and Skype’s position on CALEA?

The U.S. law, Communications Assistance for Law Enforcement Act, does not apply to any of Microsoft’s services, including Skype, as Microsoft is not a telecommunications carrier. Skype is an independent division headquartered and operating under Luxembourg law.

Sounds like an indirect way of saying "No, we don't do interception"...

It sounds more like "we're not legally required to perform that service to law enforcement, but choose not to comment directly on its availability" to me.

Over 2012, Google in comparison had 42,327 requests in total, concerning 68,249 accounts. Of these, 16,407 were made in the US, and about 14,600 resulted in information being disclosed (Google provides no data about whether the information is content or transactional).

That's not quite true for the second half of 2012. The Google transparency report for that half breaks down information requests Google received by "Search Warrant", "Subpoena", and "Other". As Ars covered in January, Google requires a search warrant to provide user content to law enforcement, which means you can say content was disclosed in no more than about 22.5% of user data requests by the US in the second half of 2012. That looks like a slightly higher legal bar than Microsoft uses, who doesn't seem to differentiate between a court order and a search warrant (both require a judge's oversight, but a warrant requires demonstration of probable cause).

It's great to see Microsoft release this data, and *really great* to see even more companies embracing U.S. v. Warshak and so not disclosing user data for just a subpoena.

Quote:

Legal Process – Google Transparency Report

Subpoena

Of the three types of ECPA legal process, the subpoena has the lowest threshold for a government agency to obtain. In many jurisdictions, including the federal system, there is no requirement that a judge or magistrate review a subpoena before the government can issue it. A government agency can use a subpoena to compel Google to disclose only specific types of information listed in the statute. For example, a valid subpoena for your Gmail address could compel us to disclose the name that you listed when creating the account, and the IP addresses from which you created the account and signed in and signed out (with dates and times). Subpoenas can be used by the government in both criminal and civil cases.

On its face, ECPA seems to allow a government agency to compel a communications provider to disclose the content of certain types of emails and other content with a subpoena or an ECPA court order (described below). But Google requires an ECPA search warrant for contents of Gmail and other services based on the Fourth Amendment to the U.S. Constitution, which prohibits unreasonable search and seizure.

Court Order

Unlike for an ECPA subpoena, obtaining an ECPA court order requires judicial review. To receive an ECPA court order, a government agency must present specific facts to a judge or magistrate demonstrating that there are reasonable grounds to believe evidence of a crime or contraband will be found within the requested information.

With such a court order, a government agency can obtain the same information as a subpoena, plus more detailed information about the use of the account. This could include the IP address associated with a particular email sent from that account or used to change the account password (with dates and times), and the non-content portion of email headers such as the "from," "to" and "date" fields. An ECPA court order is available only for criminal investigations.

Search Warrant

The threshold is higher still for an ECPA search warrant. To obtain one, a government agency must make a request to a judge or magistrate and meet a relatively high burden of proof: demonstrating "probable cause" to believe that contraband or certain information related to a crime is presently in the specific place to be searched. A warrant must specify the place to be searched and the things being sought. It can be used to compel the disclosure of the same information as an ECPA subpoena or court order—but also a user's search query information and private content stored in a Google Account, such as Gmail messages, documents, photos and YouTube videos. An ECPA search warrant is available only in criminal investigations.

I always told my clients, if you're gonna do anything illegal, don't do it on a Microsoft platform.

Or any other company that complies with law enforcement information requests. Read: A lot of them.

Or you could suggest not to perform illegal actions? Crazy, I know.

Or you know, maybe you live somewhere that your government finding out your thoughts and feelings on "sensitive" topics could land you somewhere with a pair of electrodes on your testicles while you are getting waterboarded. And that government might be the U.S. Crazy, I know...

Also, just because something is declared illegal doesn't mean it's right. There are many, many shades of grey between child pornographer, potential mass shooter, terrorist (although that term has kind of lost its value as it applies to anyone a powerful interest doesn't like), and someone trying to fight against the evil that is deeply rooted in every government and police / military in the world.

What happens when the government turns evil? We've never lived in a time in which the governing bodies have had such immediate and deeply personal access to people's lives, access that can very often not be avoided. And people scoff at the notion of a world-wide marking system.

"Some requests were also rejected for not meeting legal criteria. Almost all of these—759 out of 866 total—came from the US."

That is bizarre. USA law enforcement makes about 15% of the total global number of requests but makes over 85% of the total legal mistakes compared to all other non-US nations put together.

I could understand law enforcement services from Turkey or some other non-US country not fully understanding the legal criteria right for a data disclosure request to a US company, but it seems they all get it more or less right.

I'd expect *USA* law enforcement to have a better grasp of their own national legal criteria for disclosure requests to a USA company.

Really poor headline for this article. It seemingly spins a good thing (MS giving us a transparency report to let us know what law enforcement is requesting) into something else and sets the tone and attitude before the reader actually gets into the article.

Want to know the biggest recipient of customer data from just about any business that does business in the United States? The answer is exactly the same: The US government.

Why would we believe them or any other company? Specifically, would Microsoft tell us if it had a back door into all of its security measures?

Tinfoil hat much?

Seriously, why would they -want- to?

No, there are no intentional backdoors in any of their programs.

Unintentional ones, of course, are present. They always are on any program of non-trivial complexity.

Digger wrote:

I always told my clients, if you're gonna do anything illegal, don't do it on a Microsoft platform.

Really doing it on a Microsoft platform is safer than doing it on another platform.

Chuck Knucka wrote:

And this is just the stuff that law enforcement is getting through legal means. I'd like to see a transparency report from Verizon and AT&T about how much data the NSA is siphoning off their networks.

I assume "everything".

SuperJB wrote:

What happens when the government turns evil? We've never lived in a time in which the governing bodies have had such immediate and deeply personal access to people's lives, access that can very often not be avoided. And people scoff at the notion of a world-wide marking system.

Paranoid much?

Really though, it's not worth worrying about. The government can't actually really accomplish much without the bureaucracy, which is basically built up to make sure that our elected officials have as little power as possible. Kind of amusing and sad really.

redtomato wrote:

That is bizarre. USA law enforcement makes about 15% of the total global number of requests but makes over 85% of the total legal mistakes compared to all other non-US nations put together.

It tells us nothing really, though. There's a lot of plausible reasons for it. My guess is some combination of:

1) Some people in the US are trying to abuse the system, and are failing.

2) Some people in the US think they understand, and don't, whereas people making requests of a company in a foreign country are more likely to do the research as to what they actually need to do.

The U.S. government ignores human rights more than anyone else. We're living in the final days of freedom.

The US cares more about human rights than almost anyone else, really. Even the countries which claim to care more than the US seldom do anything about it outside of their own country. The US exports human rights.

Man, that VPN and Tor thing aren't sounding so unnecessary anymore, and I'm one of the good guys that has no record and no need to hide or worry.

Same here. I know I do nothing illegal but I simply don't trust law enforcement enough to take chances.

I just started using BTGuard on my Mac. Works great, speed is comparable to home broadband, with about 20 gateways, half of which are outside the US. I use the Switzerland gateway as there's no law that requires logging. It's about $7/mo.

Tell that to the FBI. All they have to do is show up at your house with a "national security letter" and you have to comply and you can't tell anyone about it. No warrant, no probable cause, nothing.

Tell that to the NSA, who just finished a facility in Nebraska and pretty much monitors all internet traffic, including that from the US.

What happens when the government turns evil? We've never lived in a time in which the governing bodies have had such immediate and deeply personal access to people's lives, access that can very often not be avoided. And people scoff at the notion of a world-wide marking system.

Define: evil.

This is a matter of law. Neither side may be technically breaking a law, but this is something that many people are finding offensive to their sense of right and wrong, or fair and unfair. However, law is sometimes used to enforce a minority's will upon a society that may or may not agree with said law, yet said society will still enforce said law and follow it because the law is the "written contract" by which we've chosen to abide by. When people get collectively pissed-off enough that it scares the people writing laws into doing something differently or it is enough to make that society take significant actions towards change we'll see what we call "better behavior".

TL;DR..... "People shouldn't be afraid of their government. Governments should be afraid of their people". And our government, for quite some time now, has not been afraid of us.

Beyond the federal government, there are 50 states, with an average of 63 counties in each state, not to mention the 18,000 or so cities and towns in the US, each of which can initiate their own civil and criminal investigations.

The U.S. government ignores human rights more than anyone else. We're living in the final days of freedom.

The US cares more about human rights than almost anyone else, really. Even the countries which claim to care more than the US seldom do anything about it outside of their own country. The US exports human rights.

That doesn't mean that they are not hypocrites.

That's sarcasm, right?

Small example for the US human rights export? Right now (there is a live stream available) there is an ongoing genocide trial in Guatemala against Efrain Ríos Montt, the former de facto dictator of Guatemala. The US government was intimately involved in orchestrating, funding, and propping up to power the Guatemalan generals who led the bloody civil war that killed at least 200,000, and left tens of thousands more "disappeared."

I'm always suspicious of OEM intent when it comes to closed-source FDE, but in this case, you're off-target. COFEE and other Microsoft/LEO tools are useless against Bitlocker. MS LE training docs (leaked) specifically note Bitlocker's threat against "lawful" searches, and that there's no convenient back door.

Small example for the US human rights export? Right now (there is a live stream available) there is an ongoing genocide trial in Guatemala against Efrain Ríos Montt, the former de facto dictator of Guatemala. The US government was intimately involved in orchestrating, funding, and propping up to power the Guatemalan generals who led the bloody civil war that killed at least 200,000, and left tens of thousands more "disappeared."

Every power which has any amount of power has been linked to such things.

Even freaking Norway has been implicated in human rights abuses in Burma in the last five years - forced labor, killings, etc. And it's Norway!

The truth is that everyone who is ever involved in third world countries is going to be at least somewhat associated with at least one atrocity. The US, having more influence than any other country, is going to be linked to more countries with atrocities.

It's not right, but that doesn't mean that the US is especially bad about it, especially given that the US does in fact advocate for human rights, gives foreign aid to help other countries (large amounts of it) get better, and even has militarily intervened several times. No matter what the US does, they get whined at. Go into Somalia? People complain. Don't go into Rwanda? People complain.

It's a no win situation and claiming that the US is a callous human rights abuser is simply not backed by the evidence. The US DOES care about human rights... but they do abuse them at times as well.

I think it's important to hold in mind that by and large, no government is innocent of these things. At some point and time in history, every country can have heinous acts tied to it. The current direction of those countries, and their behavior in general, should be noted.

As the old saying goes, "what have you done for me lately..." comes to mind.

Tell that to the FBI. All they have to do is show up at your house with a "national security letter" and you have to comply and you can't tell anyone about it. No warrant, no probable cause, nothing.

You apparently missed that ruling a week back.

Also, NSLs are limited in what they can make you give up anyway.

Quote:

Tell that to the NSA, who just finished a facility in Nebraska and pretty much monitors all internet traffic, including that from the US.

I'm well aware of the facility. Hence the "everything" I noted above. Note that there's nothing preventing any sort of private individual from doing the same thing, really, except for cost.

I know about the ruling saying that the NDA someone is forced to sign is illegal but I believe the FBI is in the process of appealing. And the NSLs themselves were not ruled illegal. Plus, the FBI has been shown to use them quite liberally for a range of reasons.

And yes, a private citizen could in theory do the same thing the NSA plans in Utah. But this theoretical private citizen would be just that. The NSA is part of the government and its considerable limits on monitoring of US citizens.

I always told my clients, if you're gonna do anything illegal, don't do it on a Microsoft platform.

Or any other company that complies with law enforcement information requests. Read: A lot of them.

Or you could suggest not to perform illegal actions? Crazy, I know.

Whistleblowing is considered illegal in the USA. The DoJ is currently vigorously prosecuting a number of whistleblowers who tried to save the American taxpayer money or report on the illegal activities of their superiors.